Password Settings

Name
Password validity period (in days): Passwords expire at the end of this period
Password length: Minimum required number of characters in a password
A password must be significantly different from last password used
A password must include capital letters
A password must include numbers
A password must include lower case letters
A password must include non alpha-numeric characters
Number of previous passwords a password must be different from


[Screenshot: Imperva support portal (HOME / NEW SUPPORT CASE / SUPPORT CASE HISTORY / KNOWLEDGE & DOCUMENTATION / IMPERVA COMMUNITY / TRAINING / DOWNLOADS), My Profile page of the registered support contact: a Security Analyst at SATTRIX INFORMATION SECURITY PVT. LTD, Lexington, Hiranandani Business P..., Thane, Maharashtra 400607, India; contact e-mail wafsupport@icicibank.com.]


For access to configuration changes, we log in through the below-mentioned server from whitelisted IPs.


[Screenshot: Privileged Account Management (ARCOS) portal at arcos.icicibanklitd.com/frm (browser shows "Not secure"), "My Access" page of the logged-in user (/Ext/Tig/Ibank/Thane), LOB: DEFAULT LOB, filter: Service Type, showing 1 to 3 of 3 entries.]

Service Type | Host Name | Host IP | Username | Domain Instance
Windows RDP | HYDISALOGSVR2 | 192.168.120.36 | OP_3440 | HYDISALOGSVR2
Windows RDP | HYDISALOGSVR_OSU | 192.168.120.37 | OP_3440 | HYDISALOGSVR_OSU
Windows RDP | JPR-FW-MGMT | 192.168.41.30 | OP_3440 | JPR-FW-MGMT

[Screenshot: Gateway list for group DRWAF-JAI-GRP (IMPVHA Bridge, Imperva, 2 gateways): JAI-INT-N1FS2-PRI-WAF (Running, Active: Yes, up since 3/17 1:52:05 AM, 0% CPU, X10K2, Physical) and JAI-INT-N2SAN2-SEC-WAF (Running, Active: Yes, up since 8:44:34 PM, X10K2, Physical).]

Action Set name: SNMP_MONITORING

SNMP Trap (SNMP Trap > SNMP V3 _ 10.52.8.52_solarwind_New)
Name: SNMP V3 _ 10.52.8.52_solarwind_New
SNMP Host: 10.52.8.52
SNMP Port: 161
Run on Every Event: [x]
SNMP Community String: 1c1c12011

SNMP Trap (SNMP Trap > SNMPV3_Solarwinds_New_10.50.207.20)
Name: SNMPV3_Solarwinds_New_10.50.207.20
SNMP Host: 10.50.207.20
SNMP Port: 161
Run on Every Event:
SNMP Community String: 1c1c12011

SNMP Trap (SNMP Trap > SNMPV3_Solarwinds_New_10.50.207.22)
Name: SNMPV3_Solarwinds_New_10.50.207.22
SNMP Host: 10.50.207.22
SNMP Port: 161
Run on Every Event: [x]
SNMP Community String: 1c1c12011

SNMP Trap (SNMP Trap > SNMPV3_Solarwinds_New_10.74.205.24)
Name: SNMPV3_Solarwinds_New_10.74.205.24
SNMP Host: 10.74.205.24
SNMP Port: 161


Gateway: JAI-INT-N2SAN2-SEC-WAF


Gateway | Status | Active | Up Since | CPU | Model | Appliance Type
DRWAF-JAI-GRP, IMPVHA Bridge, Imperva (2)
JAI-INT-N1FS2-PRI-WAF | Running | Yes | 3/17/23 1:52:05 AM | 0% | X10K2 | Physical
JAI-INT-N2SAN2-SEC-WAF | Running | Yes | 4/9/23 8:44:34 PM | 2% | X10K2 | Physical
HYD-DMZ-NR4NR8-WAF SEC103, IMPVHA Bridge, Imperva (0)
HYD-DMZ-NW3NR5-WAFPRI102, IMPVHA Bridge, Imperva (1)
HYD-DMZ-NW3NR5-WAFPRI102 | Running | Yes | 4/28/23 1:53:51 AM | 0% | X10K2 | Physical
HYDWAF1, IMPVHA Bridge, Imperva (1)
HYDWAF1 | Running | Yes | 5/5/23 11:29:14 PM | 0% | X8510 | Physical
HYDWAF2, IMPVHA Bridge, Imperva (1)
HYDWAF2 | Running | Yes | 5/14/23 12:55:19 AM | 22% | X10K2 | Physical
NDRWAF-HYD-GRP, IMPVHA Bridge, Imperva (2)
NDR-DMZ-INT-R1NR1-WAF-1 | Running | Yes | 4/21/23 11:34:56 PM | 3% | X8510 | Physical
NDR-DMZ-INT-R2NR1-WAF-2 | Running | Yes | 4/23/23 7:53:44 AM | 50% | X10K2 | Physical

Details (selected gateway)
General Info
Management Interface IP: 192.168.41.177
Installed Version: 14.7.0.20_0
Up Since: 4/9/23 8:44:34 PM
License Level: Enterprise Edition
Performance Report (CSV): Download
Tech Info (ZIP):
Group
Gateway Group: DRWAF-JAI-GRP
Errors


Server Group: DR > ICICI_Bank_DR

Tabs: Definitions | Services And Ports | Servers | ... | Applied Policies

Name: ICICI_Bank_DR
Operation Mode: ( ) Disabled


Manual ADC Update:
Current ADC Content: Last update from ADC was on July 31, 2023 7:04:43 PM
Download ADC content package to the client machine
Choose File: No file chosen
Upload available ADC content to SecureSphere

Automatic ADC Update:
Occurs: (x) None  ( ) Recurring
Job is not scheduled.
Update Now

ADC content summary
Item | Sum
Dictionaries | 40
Signatures | 6974
Attack Signatures | 2497
Protocols | 309
Global Port List | 2
Policy | 303
Report | 103


For Gateways 


Action Set name: Log to Syslog

Selected Actions
Security Event Log (Gateway Security System Log > Alerts)
Name: Alerts

Protocol: TCP
Primary Host: 192.168.120.210
Primary Port: 514
Secondary Host: 192.168.41.74
Secondary Port: 514
Syslog Log Level: INFO
Message: LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}|devTimeFormat=[see note]|devTime=${ (remainder of the template is cut off in the screenshot)
Facility: SYSLOG
Evidence


Alert 21256654: Distributed Rate Limiting imobile_2

Immediate Block
Log to Syslog: A message was written to the system log from the Gateway. Syslog primary host = 192.168.120.210. Syslog secondary host = 192.168.41.74 (August 18, 2023 5:37:00
Aggregated from 05:37:00 (1 hour(s), 50 minute(s)), 11284 violations (last updated 07:26...)

Alert aggregated by:
Custom Rule: Rate Limiting imobile_2
Immediate Action: Block
Server Group: ICICI_Bank_Tier_4

Statistical Information (based on the first 1,402 violations), distinct values for:
Source GeoLocations: 1
New IPs
Sessions
URLs
User Agents: 8
Web User

Violations:
Source IP | Session | User | URL | Response Code
192.168.1.5 | N/A | /mfp/api/adapters/accountsjava/resource/icast01
192.168.1.5 | N/A | /mfp/api/adapters/depositsjava/resource/icfds01
192.168.1.5 | N/A | /mfp/api/adapters/services/icimmid01
192.188.1.5 | N/A | /mfp/api/adapters/activationencoded/rract04
192.168.1.5 | N/A | /mfp/api/adapters/creditcard/icces01
192.168.1.5 | N/A | /mfp/api/adapters/creditcard/icies01
192.168.1.5 | N/A | /mfp/api/adapters/accounts/icast01
192.168.1.5 | N/A | /mfp/api/adapters/accounts/icast01t
192.168.1.5 | N/A | /mfp/api/adapters/upijava/resource/icmngvps01
182.168.1.5 | N/A | /mfp/api/clientlogprofile/com.icicibank.imobile/ios/11.2
182.168.1.5 | N/A | /mfp/api/clientlogprofile/com.icicibank.imobile/ios/11.2


For Login and Configuration logs 


Action Set name: SEM_EVENTS


Yes, the attacks are monitored in SIEM.


At any one time, traffic will flow in a single path only.


Gateway | Status | Active | Up Since | CPU | Model | Appliance Type
DRWAF-JAI-GRP, IMPVHA Bridge, Imperva (2)
JAI-INT-N1FS2-PRI-WAF | Running | Yes | 3/17/23 1:52:05 AM | 0% | X10K2 | Physical
JAI-INT-N2SAN2-SEC-WAF | Running | Yes | 4/9/23 3:44:34 PM | 1% | X10K2 | Physical


Scheduled reports
Alerts | All_Alerts | 8AN335044 | Every 1 days at 3:00 AM starting from 4/25/23
System Events | System_Events | admin | Every 1 days at 2:15 AM starting from 1/5/23


External Systems
Name | Type | Enabled | Usage Count
EXT_RADIUS_AUTH | RADIUS Authentication | [x] | 1


Default Error Page
Use Default Error Page
( ) Redirect (for example: http://www.mywebapp.com/errorpage.html)
(x) Page

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML; CHARSET=utf-8"/><title>Error</title></head>
<body><H2>Error</H2>
<table summary="Error" border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0" width="400"><tr><td>
<table summary="Error" border="0" cellpadding="3" cellspacing="1">
<tr valign="top" bgcolor="#FBFFDF" align="left"><td><STRONG>Error</STRONG></td></tr>
<tr valign="top" bgcolor="#FFFFFF"><td>This page can't be displayed. Contact support for additional information.<br/>The incident ID is: ${EVENT_ID}</td></tr>
</table></td></tr></table>
</body></html>

HTTP Response Code: 200 OK

Preview:
Error
This page can't be displayed. Contact support for additional information.
The incident ID is: 7225061619249372544.


Gateway 


[Screenshot: SecureSphere Monitor > Dashboard. Panels: ThreatRadar ("Can't reach Threat Intelligence servers"), CPU Load, Throughput (Mbit/sec), Alerts per Severity (Filtered), Latest Alerts (All), Server Groups (3D-secure DR, 3DS_DR, CAPS_DR, CIB_DR, CPCAssetsNew, DR_Active_Appl, DirectBanking_C..., ...), Selected Gateway Info (up since March 17, 2023 1:52:05 AM).]

Legend values at 06:36:40 AM: HYD-DMZ-NW3NR5-WAFPRI102 0; HYDWAF1 0; HYDWAF2 397; JAI-INT-N1FS2-PRI-WAF 0; JAI-INT-N2SAN2-SEC-WAF 85; NDR-DMZ-INT-R1NR1-WAF-1 0; NDR-DMZ-INT-R2NR1-WAF-2 526.
Gateway panel values: HYD-DMZ-NW3NR5-WAFPRI102 0; HYDWAF1 0; HYDWAF2 17; JAI-INT-N2SAN2-SEC-WAF 0; NDR-DMZ-INT-R2NR1-WAF-2 44.

Latest Alerts (All)
Time | Server Group | Service | Application | Source IP | Description
06:37:45 | ICICI_Bank_Tier_4 | ICICI_Bank_Tier_4_iMobileNXT | | Multiple | Distributed Rate Limiting imobile_2
06:37:33 | ICICIBank_2 | ICICIBank_2 | ICON | 13.51.70.10 | Ysoserial Java Object Deserialization
06:37:33 | ICICIBank_2 | ICICIBank_2 | Multiple | 13.51.70.10 | Multiple signatures from 13.51.70.10
| ICICIBank_Critical_ | ICICIBank_Critical_ | Multiple | 147.182.165.217 | Multiple signatures from 147.182.165.217
06:37:24 | ICICIBank_Critical_ | ICICIBank_Critical_ | | 147.182.165.217 | Multiple Cross-site scripting from 147.182.165.217
06:37:24 | ICICIBank_5 | ICICIBank_5 | Multiple | Multiple | Distributed Suspicious File Extension Access
06:37:24 | RIB_HTTP | RIB_HTTP | Multiple | Multiple | Distributed Rate limiting_RIB
06:37:23 | ICICIBank_Critical_ | ICICIBank_Critical_2 | Multiple | Multiple | Distributed Too Many Headers per Response
06:37:15 | ICICI_Bank | ICICI_Bank Work Force Manage | Multiple | Multiple | Unauthorized Request Content Type: 'text/x-gv charset=
06:37:15 | ICICI-Bank-HTTP-T | ICICI-Bank-HTTP-Ti | Multiple | Multiple | Distributed Directory Traversal (In Cookies/Parameters Value)
06:37:15 | ICICI_Bank_Tier_4- | ICICI_Bank_Tier_4- | OAP AMAZON CBC | 159.223.146.94 | Multiple signatures from 159.223.145.94
06:37:02 | RIB_HTTP | RIB_HTTP | Multiple | Multiple | Distributed Rate limiting RIB
06:37:02 | RIB_HTTP | RIB_HTTP | RIB | Multiple | Distributed Rate limiting RIB 2
06:37:02 | ICICI_Bank_Tier_4- | ICICI_Bank_Tier_4- | OAP AMAZON CBC | 159.223.146.94 | Multiple Cross-site scripting from 159.223.146.94
System Performance > Management Server (Choose Time Frame: View Last Hour)

CPU Load Percentage Over Time By Component, 08/18/2023, 05:39 to 06:35:
GUI and Gateway Communication: 33
Audit: 0
Followed Actions: 0
Gateway Updates: 0
Jobs: 1
Learning: 25
Monitoring: 39

Machine Load Over Time: 6.3


